If you are hit by a hacker, is it legal to hit back? Peter Judge thinks it’s time to test Active Defence in court

Should victims of cyber crime take the law into their own hands and fight back? We heard a lot of arguments about this in 2012, but in 2013, it is time to test the idea in court.

At the moment the idea of “active defence” is a legal grey area, but US attorney David Willson is sure cyber crime victims are within their rights to retaliate, in online self-defence. And last week, he told a webinar I chaired that he is itching to test that notion in court.

Is Active Defence even legal?

It was the former FBI cyber security chief, Shawn Henry, who made active defence an issue in 2012 by co-founding CrowdStrike, a company that makes it pretty clear it has no problem with hacking back against attackers.

CrowdStrike proposes using honeypots – tempting data that will lure hackers into a trap. It also offers to “disrupt” attackers’ infrastructure, but wouldn’t tell TechWeekEurope precisely how it plans to do this.

Willson says that active defence is a matter of intelligence, figuring out who is actually attacking you, instead of putting in a “huge hodgepodge of security measures” to stop any threat. “If you picture security as like a fishing net, there are a lot of holes where things can get through.”

Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson: “Law enforcement may not be the answer because you don’t want to harm your reputation, or the law enforcement agencies may be too overloaded to deal with your case.”

The road to defence should involve careful escalation, he says, starting with collecting intelligence, for which honeypots are a vital tool. Seeding honeypots with fake data should be no problem at all, he says: “If you put a fake document on your network in a honeypot, and someone comes along and steals it, I don’t see a problem with that.”

Beyond that, you can block the attack, and he suggests that seeding your honeypot data with malware might be justifiable, especially if the attack is automated. Under US computer misuse law, he thinks an automated response to an automated attack may be justified.

Active defence might embed a beacon in the honeypot data so that the attacking system can be tracked and identified, and it might include malware that would let the original victim retaliate and shut the attack down by seizing control of the attacking system.
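The intelligence-gathering step described above, bait documents that carry a beacon, is the part of active defence that stays entirely on the victim's own systems. As an added example (not code from CrowdStrike, Willson or the webinar), the Python below generates decoy HTML documents, each carrying a unique HMAC-derived beacon URL, and then matches constructed web-server log lines back to the document that was taken and the address that opened it. The beacon host, the secret and the log lines are hypothetical, constructed for this illustration.

```python
"""
Decoy-document beacon: tag bait files with a per-document beacon URL and
match callbacks in web-server logs back to the document that was taken.

Added example for this article; not code from any company or speaker named
in it. BEACON_HOST, DEMO_SECRET and SAMPLE_LOG are constructed placeholders.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical collector host that every decoy calls back to.
BEACON_HOST = "beacon.example.net"
# Constructed demo key; in practice this comes from a vault and is rotated.
DEMO_SECRET = b"rotate-me-this-is-only-a-demo-key"


@dataclass(frozen=True)
class Decoy:
    doc_id: str   # internal name of the bait document
    token: str    # beacon token embedded in the document
    url: str      # the URL the viewer's software will fetch
    body: str     # the decoy document itself (HTML here)


def make_token(secret: bytes, doc_id: str) -> str:
    """Per-document token: an HMAC of the doc id, so a logged hit can be
    verified against the secret rather than trusted because it is in a table."""
    return hmac.new(secret, doc_id.encode(), hashlib.sha256).hexdigest()[:24]


def make_decoy(secret: bytes, doc_id: str, title: str) -> Decoy:
    """Build a small HTML bait document with a 1x1 remote image beacon.
    The beacon only fires if the viewer fetches remote resources, so silence
    is absence of signal, not proof the document was never taken."""
    token = make_token(secret, doc_id)
    url = f"https://{BEACON_HOST}/r/{token}.png"
    body = (
        "<!doctype html>\n"
        f"<html><head><title>{title}</title></head><body>\n"
        f"<h1>{title}</h1>\n"
        "<p>Internal - confidential.</p>\n"
        f'<img src="{url}" width="1" height="1" alt="">\n'
        "</body></html>\n"
    )
    return Decoy(doc_id, token, url, body)


# Combined log format with the beacon path pinned, so unrelated requests
# and tokens of the wrong shape never reach the registry lookup.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /r/(?P<token>[0-9a-f]{24})\.png HTTP/1\.[01]" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def match_beacon_hits(secret: bytes, registry: dict, lines) -> list:
    """Return one record per log line that is a verified beacon callback.
    A token is accepted only if it is registered AND recomputes from the
    secret, so a planted or forged token cannot send you after the wrong host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        token = m["token"]
        doc_id = registry.get(token)
        if doc_id is None:
            continue  # unknown token: not one of our decoys
        if not hmac.compare_digest(make_token(secret, doc_id), token):
            continue  # registry tampered with or token forged
        hits.append({"doc_id": doc_id, "ip": m["ip"], "ts": m["ts"],
                     "status": int(m["status"]), "ua": m["ua"]})
    return hits


# Two constructed decoys and the token -> doc_id registry they produce.
DECOYS = [
    make_decoy(DEMO_SECRET, "q3-forecast", "Q3 revenue forecast (DRAFT)"),
    make_decoy(DEMO_SECRET, "vpn-passwords", "VPN credentials - do not share"),
]
REGISTRY = {d.token: d.doc_id for d in DECOYS}

# Constructed web-server log lines: one real callback, one guessed token,
# one ordinary page request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [14/Jan/2013:03:12:45 +0000] "GET /r/{DECOYS[1].token}.png '
    'HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0)"',
    '198.51.100.23 - - [14/Jan/2013:03:13:02 +0000] "GET /r/000000000000000000000000.png '
    'HTTP/1.1" 404 0 "-" "curl/7.26.0"',
    '192.0.2.5 - - [14/Jan/2013:03:14:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in match_beacon_hits(DEMO_SECRET, REGISTRY, SAMPLE_LOG):
        print(f'{hit["ts"]}  {hit["doc_id"]} opened from {hit["ip"]} ({hit["ua"]})')
```

Two design points matter here. The token is verified against the secret, not merely looked up, so someone who learns the beacon path cannot feed the honeypot operator false leads. And a hit tells you only where the document was opened; on the page's own argument that address may well belong to a compromised third party, which is why a beacon is intelligence to hand to counsel or law enforcement rather than a target list.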

The problem is that active defence is likely to hurt people whom most would regard as innocent bystanders. Capable attackers rarely use their own systems for an attack: they subvert someone else's system, or a whole botnet of compromised machines, and route the attack through it. When a victim strikes back, it is likely to be hitting servers in companies that are completely unaware of any involvement in the attack. This could cross a legal line, warned Sarb Sembi, who chairs the European subcommittee of the security professionals’ organisation ISACA and was also on our webinar.

Willson’s response is that people whose systems have been subverted should not necessarily be viewed as innocent: “How innocent are they if their network has been attacked, and is being used to go after others?”

For a company to take this step, however, it should first exhaust other options and document its process clearly. It should also be prepared to compensate the companies hurt in the retaliation. But fundamentally, Willson believes that companies which fail to keep their systems secure deserve some level of suffering.

This kind of thing is already happening, but it is happening covertly, carried out by IT departments operating without explicit approval while management turns a blind eye. Willson wants this sort of defence to become explicit, so that the victim that retaliates is ready to justify its actions in the media and, if necessary, in the courts: “Active defence puts all the pieces in place so when you come into court, or before the media, you are ready to defend your actions.”

But will the notion actually be legally tested this year? Willson doesn’t think so: “At the moment, companies are not ready to go to court about it – the leadership prefers not to know.”

And even if it does happen, there is another danger to active defence, raised by the webinar’s other panellist, Stilianos Vidalis of Staffordshire University. “If we lose control of that honeypot it could be illegal,” he warns. Placing malware on your network, even as bait for a trap to catch the bad guys, is a dangerous thing. If the attacker is cleverer than you, the honeypot could be taken over, fed with false information, or even used in further attacks against others, leaving the would-be defender as the source of an attack on third parties.

It’s clear from the discussion that there are a lot of things to be sorted out here. Willson just wants companies to be aware of the possibilities: “There’s a lot more options out there than just a response of ‘you can’t do that because it is illegal’. Companies need to explore what they can do to defend themselves.”